Docket No. IPOL-0002 

Amendments to the Claims:

This listing of claims will replace all prior versions, and listings, of claims in the application: 

1. (Currently Amended) A method for enforcing a plurality of different policies on a stream
of packets, the method comprising: 

receiving a packet; 

appending an extension to the packet; 
determining session information regarding the packet; 
updating the extension with the session information; 
forwarding the packet to a packet policy rule engine module; 

determining, at the packet policy rule engine module, whether the packet corresponds to a
common condition for a first policy rule and a second policy rule, the first policy
rule belonging to a first policy type and the second policy rule belonging to a
second policy type that differs from the first policy type; and

providing, at the packet policy rule engine module, an association between the first
packet and the common condition where it is determined that the packet
corresponds to the common condition; and

updating the extension with the association.

2. (Currently Amended) The method of claim 1, further comprising: 

[[appending an extension to the packet and updating at least a first bit location in the
extension to provide the association between the packet and the common
condition.]]

forwarding the packet to an application decode engine module;

determining, at the application engine decode module, whether the packet corresponds to
an application rule; 

if the packet corresponds to an application rule, at the application engine decode module, 
updating the extension with application information from the application rule; and 

wherein said forwarding the packet to a packet policy rule engine module includes 
forwarding the packet from the application engine decode module to a packet 
policy rule engine module. 

3. (Original) The method of claim 1, further comprising: 

determining whether the packet corresponds to a first particular condition for the first
policy rule as compared to the second policy rule; and

determining applicability of the first policy rule to the packet where it is determined that
the common condition and the first particular condition correspond to the packet.

4. (Currently Amended) The method of claim I 3, further comprising: 
[[appending an extension to the packet;

updating at least a first bit location in the extension to provide the association between
the packet and the common condition; and

updating at least a second bit location in the extension to provide the association between
the packet and the first particular condition.]]

, wherein said appending an extension to the packet occurs at an extension builder
module.

5. (Original) The method of claim 3, wherein determining applicability of the first
policy rule to the packet comprises: 

traversing a rule tree corresponding to the first policy rule, the rule tree having a first path 
corresponding to the first rule, the first path including the common condition and 
the first particular condition, wherein presence of the common condition and the 
first particular condition prompts a determination that the first policy rule is 
applicable to the packet. 

6. (Original) The method of claim 1, wherein the first policy type is a firewall policy
and the second policy type is a quality of service policy. 

7. (Original) The method of claim 1, wherein the first and second policy types are 
selected from the following policy types: firewall, quality of service, intrusion detection. 

8. (Currently Amended) The method of claim 4>, further comprising: 

[[creating a session for a plurality of session related packets including the packet; and

determining whether the packet corresponds to the common condition as evidenced from
the created session.]]

wherein said determining session information regarding the packet and said
updating the extension with the session information occur at a session manager
module.



9-13. (Canceled). 
14. (Currently Amended) An apparatus for enforcing a plurality of different policies on a
stream of packets, the apparatus comprising: 

means for receiving a packet; 

means for appending an extension to the packet; 

means for determining session information regarding the packet; 

means for updating the extension with the session information; 

means for forwarding the packet to a packet policy rule engine module; 

means for determining, at the packet policy rule engine module, whether the packet
corresponds to a common condition for a first policy rule and a second policy rule,
the first policy rule belonging to a first policy type and the second policy rule
belonging to a second policy type that differs from the first policy type; and

means for providing, at the packet policy rule engine module, an association between the
first packet and the common condition where it is determined that the packet
corresponds to the common condition; and

means for updating the extension with the association.



15. (Currently Amended) The apparatus of claim 14, further comprising: 

means for [[appending an extension to the packet and updating at least a first bit location in
the extension to provide the association between the packet and the common
condition,]] forwarding the packet to an application decode engine module;

means for determining, at the application engine decode module, whether the packet
corresponds to an application rule;

means for, if the packet corresponds to an application rule, at the application engine
decode module, updating the extension with application information from the
application rule; and

wherein said means for forwarding the packet to a packet policy rule engine module 
includes means for forwarding the packet from the application engine decode 
module to a packet policy rule engine module. 

16. (Original) The apparatus of claim 14, further comprising: 

means for determining whether the packet corresponds to a first particular condition for 
the first policy rule as compared to the second policy rule, determining 
applicability of the first policy rule to the packet where it is determined that the 
common condition and the first particular condition correspond to the packet. 

17. (Currently Amended) The apparatus of claim 14 16, further comprising: 

[[means for appending an extension to the packet, updating at least a first bit location in the
extension to provide the association between the packet and the common
condition, and updating at least a second bit location in the extension to provide
the association between the packet and the first particular condition.]]

, wherein said means for appending an extension to the packet builder includes an
extension builder module.

18. (Original) The apparatus of claim 16, wherein determining applicability of the first
policy rule to the packet comprises traversing a rule tree corresponding to the first policy rule, the
rule tree having a first path corresponding to the first rule, the first path including the common
condition and the first particular condition, wherein presence of the common condition and the
first particular condition prompts a determination that the first policy rule is applicable to the 
packet. 

19. (Original) The apparatus of claim 14, wherein the first policy type is a firewall policy
and the second policy type is a quality of service policy. 

20. (Original) The apparatus of claim 14, wherein the first and second policy types are 
selected from the following policy types: firewall, quality of service, intrusion detection. 

21. (Currently Amended) The apparatus of claim 17 14, further comprising:

[[means for creating a session for a plurality of session related packets including the
packet, and determining whether the packet corresponds to the common condition
as evidenced from the created session.]]

wherein said means for determining session information regarding the packet and said
means for updating the extension with the session information include a session manager
module.

22-26. (Canceled) 

27. (Currently Amended) An apparatus for enforcing a plurality of different policies on a 
stream of packets, the apparatus comprising: 

an extension builder module configured to receive a packet, appending an extension to
the packet, and forward the packet to a session manager module;

said session manager module configured to receive the packet, determine session 
information regarding the packet, update the extension with the session 
information, and forward the packet to an application decode engine module; 

said application decode engine module configured to determine if the packet corresponds 
to an application rule, update the extension with application information from the 
application if the packet corresponds to an application rule, and forward the 
packet to a packet policy rule engine module; and 

said packet policy rule engine module configured to determine whether the packet
corresponds to a common condition for a first policy rule and a second policy rule,
the first policy rule belonging to a first policy type and the second policy rule 
belonging to a second policy type that differs from the first policy type, provide an 
association between the first packet and the common condition where it is 
determined that the packet corresponds to the common condition, and update the 
extension with the association. 

[[an infrastructure packet processing module group, which receives a packet; determines
whether the packet corresponds to a common condition for a first policy rule and a
second policy rule, the first policy rule belonging to a first policy type and the
second policy rule belonging to a second policy type that differs from the first
policy type, and provides an association between the first packet and the common
condition where it is determined that the packet corresponds to the common
condition.]]

28. (Canceled)

29. (Currently Amended) The apparatus of claim 27, wherein said packet policy rule engine 
module is further configured to: 

determine whether the packet corresponds to a first particular condition for the first 
policy rule as compared to the second policy rule; and 

determine applicability of the first policy rule to the packet where it is determined that the 
common condition and the first particular condition correspond to the packet. 
[[further comprising:

a first policy processing module, in communication with the infrastructure packet
processing module group, which determines whether the packet corresponds to a
first particular condition for the first policy rule as compared to the second policy
rule, and determines applicability of the first policy rule to the packet where it is
determined that the common condition and the first particular condition
correspond to the packet.]]

30. (Canceled). 

31. (Currently Amended) The apparatus of claim 29, wherein the packet policy rule engine
module is further configured to traverse [[determining applicability of the first policy rule to the
packet comprises traversing]] a rule tree corresponding to the first policy rule, the rule tree having
a first path corresponding to the first rule, the first path including the common condition and the
first particular condition, wherein presence of the common condition and the first particular
condition prompts a determination that the first policy rule is applicable to the packet.

32. (Original) The apparatus of claim 27, wherein the first policy type is a firewall policy 
and the second policy type is a quality of service policy. 

33. (Original) The apparatus of claim 27, wherein the first and second policy types are 
selected from the following policy types: firewall, quality of service, intrusion detection. 

34-39. (Canceled). 